/legal/terms and is entered into automatically when the Tenant accepts the Terms. No separate signature is required unless the parties agree otherwise in writing.
1.1 Subject matter. The Processor processes personal data on behalf of the Controller for the purpose of providing the Exceptao compliance platform and its enabled Modules (Exceptions, Risk Register, NIS2 Schools, and future Modules) as described in the Terms.
1.2 Duration. This DPA is in force for the duration of the subscription agreement between the parties. Upon expiry or termination of the subscription, the Processor’s obligations regarding data return and deletion apply as set out in §9 below.
1.3 Hierarchy. In the event of a conflict between this DPA and the Terms on a matter of data protection, this DPA prevails.
The Processor processes personal data solely to:
The Processor does not process personal data for its own independent commercial purposes (such as profiling, advertising, or sale to third parties). Processing occurs only on documented instructions from the Controller (via the Service interface or written instruction), except where required by applicable EU or Member State law.
| Category | Examples |
|---|---|
| Identifiers | Name, email address, User ID, display name |
| Authentication credentials | Password hashes (Argon2id), TOTP secrets (AES-encrypted), WebAuthn credential IDs and public keys |
| Network data | IP addresses, user-agent strings (login events and audit log entries) |
| Audit event data | Action codes, target object type and ID, before/after state summaries, timestamps, cryptographic hashes |
| Business content uploaded by the Controller | Exception descriptions and justifications, evidence files, risk register entries, incident reports, control-task records — which may contain personal data about third parties at the Controller’s discretion |
| Session data | Session tokens (server-side), session timestamps |
| Communication data | Email addresses and names used for notification delivery |
The Processor undertakes to:
5.1 Process only on instructions. Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In that case, the Processor will inform the Controller before processing, unless prohibited by law from doing so on grounds of important public interest.
5.2 Confidentiality of personnel. Ensure that all persons authorised to process the Controller’s personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
5.3 Implement technical and organisational measures. Implement and maintain the technical and organisational security measures described in Annex II of this DPA and in the Security Whitepaper at /legal/security. The Processor will not materially reduce those measures during the term of this DPA without giving the Controller at least 30 days’ prior written notice.
5.4 Engage sub-processors only under §6. Respect the sub-processor engagement conditions set out in §6 of this DPA.
5.5 Assist with data subject rights. Assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III (Arts. 15–22), to the extent technically feasible given the Controller’s role and the architecture of the Service. The Processor will forward any data subject request received directly to the Controller without undue delay.
5.6 Assist with compliance obligations. Assist the Controller in ensuring compliance with GDPR Arts. 32–36 (security measures, breach notification, data protection impact assessment, prior consultation with supervisory authority), having regard to the nature of processing and the information available to the Processor.
5.7 Data return or deletion. At the Controller’s choice, either: (a) delete all personal data processed on behalf of the Controller, or (b) return all personal data in a structured, machine-readable format, upon termination of the service agreement. The Processor will delete existing copies unless EU or Member State law requires further storage (see §9).
5.8 Audit and information. Make available to the Controller all information reasonably necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits and inspections as described in §10.
5.9 Notification of unlawful instructions. Immediately inform the Controller if, in the Processor’s opinion, an instruction given by the Controller infringes GDPR or other applicable EU or Member State data protection provisions.
6.1 General authorisation. The Controller grants the Processor general authorisation to engage the sub-processors listed in Annex I of this DPA and at /legal/subprocessors. The up-to-date list is maintained at /legal/subprocessors and includes the purpose, data categories, region, security posture, and DPA status of each sub-processor.
6.2 Change notification. The Processor will notify the Controller at least 30 calendar days in advance of any intended addition to or replacement of a sub-processor by updating the list at /legal/subprocessors and sending an email notification to the Controller’s registered Tenant Admin email address. The notification will include: the name and purpose of the new or replacement sub-processor, the data categories to be processed, and the region.
6.3 Right to object. The Controller may object to the intended change within the 30-day notice period by emailing legal@exceptao.com, stating the specific grounds for objection. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the subscription without penalty, effective from the date the change would take effect, with a pro-rated refund of prepaid fees.
6.4 Sub-processor obligations. The Processor imposes data protection obligations on all sub-processors that are equivalent to those in this DPA, by contract. Where a sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of those obligations.
6.5 No further sub-processing. Sub-processors may not engage further sub-processors for the processing of the Controller’s personal data without the Processor’s prior written consent and notification to the Controller under §6.2.
7.1 Data residency. Personal data is stored in the region selected by the Controller at Tenant creation:
7.2 No cross-region business data transfer. Customer business data does not cross regions. Control-plane metadata (tenant routing, subscription records) is stored in the EU region and contains no customer business data.
7.3 Sub-processor transfers. Where sub-processors are located outside the EU/EEA, or where their parent entities are incorporated in countries without an EU adequacy decision, the Processor ensures that appropriate safeguards are in place under GDPR Chapter V, specifically: Standard Contractual Clauses (Module 1, 2, or 3 as applicable) adopted by the European Commission Decision of 4 June 2021; Transfer Impact Assessments where required; and supplementary measures (e.g. encryption before transfer) where necessary. Details of the transfer safeguards for each sub-processor are documented at /legal/subprocessors.
8.1 Notification timeline. The Processor will notify the Controller without undue delay, and in any case no later than 72 hours after the Processor becomes aware of a personal data breach affecting the Controller’s data. This timeline is consistent with GDPR Art. 33 (notification to supervisory authority) and NIS2 Art. 23 (incident reporting) — the Processor’s 72-hour notification to the Controller enables the Controller to meet its own regulatory deadlines.
8.2 Content of notification. The breach notification will include, to the extent known at the time of notification and supplemented as information becomes available: (a) a description of the nature of the breach; (b) the categories and approximate number of personal data records concerned; (c) the contact details of the data protection contact point; (d) a description of the likely consequences; (e) a description of the measures taken or proposed.
8.3 Cooperation. The Processor will cooperate with the Controller’s breach management, provide reasonable assistance for notifications to supervisory authorities and affected data subjects, and implement corrective measures without undue delay.
8.4 Initial partial notification. Where it is not possible to provide all information within 72 hours, the Processor will provide an initial partial notification within 72 hours and supplement it as information becomes available.
9.1 Export window. During the term of the subscription, and for 30 days after expiry or termination (“Data Retention Period”), the Controller may export all Service Data via the tenant data-export function. The Processor will also provide a complete data export in a structured, machine-readable format (JSON and/or CSV) within 30 days of a written request from the Controller.
9.2 Deletion. After the Data Retention Period, all personal data processed on behalf of the Controller will be securely and irreversibly deleted from the Processor’s active systems, including databases, file storage, caches, and email queues. Deletion from backup media will occur within the normal backup expiry cycle, subject to the retention periods in §9.3.
9.3 Legal retention carve-outs. The following data may be retained beyond the Data Retention Period to the extent required by applicable law: billing records (5 years from end of billing period — Polish Accounting Act); audit log records with pseudonymised actor identity (for the contractually agreed audit log retention period); records necessary to defend or establish legal claims.
9.4 Deletion certificate. On written request, the Processor will provide the Controller with a deletion certificate within 30 days of confirmed deletion of all active data.
9.5 No retention for Processor’s own purposes. The Processor will not retain any personal data processed under this DPA for its own commercial purposes after termination.
10.1 Information provision. The Processor will provide the Controller with all information reasonably necessary to demonstrate compliance with GDPR Art. 28, including by completing standard security questionnaires and providing relevant certifications.
10.2 On-site audits. The Controller (or its mandated third-party auditor) may conduct an audit, subject to: (a) at least 30 calendar days’ written notice; (b) scope limited to matters relevant to this DPA; (c) no more than one audit per 12-month period unless a breach has occurred; (d) the Controller bears the cost of the audit unless it reveals material non-compliance; (e) a confidentiality agreement must be signed before the audit.
10.3 Certification-based assurance. The Processor may satisfy part or all of the audit obligation by providing relevant certifications (e.g. ISO 27001 certificate, SOC 2 Type II report — when obtained), security questionnaire responses, or third-party audit reports, where these cover the scope of the requested audit.
11.1 Where the Controller instructs the erasure of a data subject’s personal data, and that data subject’s identity appears in audit log rows (as actor email address and/or actor IP address), the Processor will pseudonymise those fields by replacing them with a stable, non-reversible tombstone identifier (actor_tombstone_<uuid>).
11.2 The cryptographic hash chain of the audit log is preserved over the tombstone value: the hash of each row containing a tombstone is computed over the tombstone, not the original identity. This means the chain remains intact and verifiable.
11.3 The audit event record itself (action, timestamp, target object, hash) is retained because deleting or altering the record would destroy the chain integrity of all downstream rows, which would undermine the core security and compliance purpose of the audit log.
11.4 The legal basis for retaining the pseudonymised audit event record is legitimate interest in audit integrity (GDPR Art. 6(1)(f)). The Controller, by entering into this DPA, acknowledges and accepts this treatment as the technically and legally correct response to a right-to-erasure request affecting audit log rows. The Processor will document the legal basis assessment per erasure request and provide it to the Controller on request.
12.1 Where the Controller determines that a DPIA is required under GDPR Art. 35, the Processor will provide reasonable assistance in preparing the DPIA, including by providing this DPA, the Security Whitepaper, the ROPA at /legal/ropa, and responding to reasonable information requests.
12.2 The Processor will notify the Controller if the Processor reasonably believes that processing carried out under this DPA is of a type likely to result in a high risk to data subjects’ rights.
This DPA is governed by the law of Poland. Any dispute arising from or relating to this DPA will be subject to the jurisdiction of the courts of Poland, consistent with §17 of the Terms.
The current sub-processor list is maintained at /legal/subprocessors. At the time of this DPA’s publication, active sub-processors are:
| Sub-processor | Registered location | Purpose | Data categories | Transfer basis |
|---|---|---|---|---|
| Cloudflare, Inc. | San Francisco, CA, USA (processing in EU) | CDN, WAF, Tunnel, R2 object storage | IP addresses, request metadata (CDN/WAF); encrypted evidence files and backups (R2) | SCCs (Module 2); R2 jurisdiction: EU |
| Backblaze, Inc. | San Mateo, CA, USA (processing in EU) | Secondary encrypted backup storage | GPG-encrypted backup archives only | SCCs (Module 2); EU storage region |
| Microsoft Corporation | Redmond, WA, USA (processing in EU) | Outbound transactional email via Graph API | Recipient email address, name, notification content | SCCs (Module 2); EU M365 tenant |
HashiCorp Vault is self-hosted on the Processor’s own VPS in the EU and is not a sub-processor within the meaning of GDPR Art. 28.
The following technical and organisational measures (“TOMs”) are implemented and maintained by the Processor. The full technical description is in the Security Whitepaper at /legal/security.
- Database roles: app (CRUD, no DDL); audit_writer (INSERT-only on audit_log; no UPDATE or DELETE); superadmin (BYPASSRLS, used only for the operator cross-tenant panel, with all actions audit-logged); migrator (DDL; used only for migrations, not at runtime).
- Row-level security: the RLS policy compares current_setting('app.current_tenant_id') against the row's tenant_id column. Even the table owner cannot bypass FORCE RLS.
- Tenant context: (app.current_tenant_id, app.current_org_unit_id) is set within a SET LOCAL block at the start of each request transaction and expires at transaction end. pgbouncer operates in transaction pooling mode, so no GUC value leaks between connections.
- Organisational unit scoping: org_unit_id scopes access for site-bound roles in multi-institution deployments (e.g. JST tenants with nested school units).
- HSTS: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.
- Audit log hash chain: row_hash_n = sha256(prev_hash_n-1 || canonical_json(row_n)), where canonical_json is the RFC 8785 JSON Canonicalization Scheme applied to a versioned, explicit field list.
- Audit log write role (audit_writer): INSERT privilege only; no UPDATE or DELETE. The CI pipeline verifies this privilege set on every deployment.
- Anchoring: the latest row_hash per tenant is recorded in the audit_anchor table.
- Anchor verification: the row_hash in audit_log is checked against the latest anchor; a discrepancy triggers a chain_discontinuity anchor event and operator notification.
- Verification endpoint: GET /api/audit/verify walks the full chain for the requesting tenant and returns a machine-readable result.
- Vulnerability disclosure: security@exceptao.com; .well-known/security.txt is published at each brand domain.
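The following is an added illustration, not Exceptao's code, of how the audit chain in Annex II and the erasure handling in §11 fit together: sha256 over prev_hash || canonical JSON of a versioned, explicit field list, a per-tenant anchor, a full-chain walk of the kind GET /api/audit/verify is described as performing, and tombstone replacement of the actor's e-mail and IP. Everything not on this page is an assumption: the field list itself (the page does not publish it), that prev_hash is concatenated as its hex string, that the first row chains from an all-zero hash, that actor_ref is a stable opaque identifier, and that the canonicaliser only needs to match RFC 8785 for ASCII keys, strings and integers. One design constraint is worth checking in any implementation: in-place pseudonymisation can only leave the chain intact if the fields being rewritten are not inputs to row_hash, so the example keeps actor_email and actor_ip out of the hashed list.

```python
"""Illustrative audit-log hash chain with tombstone-safe erasure (not Exceptao's code)."""
import hashlib
import json
import uuid
from copy import deepcopy

SCHEMA_VERSION = 1
GENESIS_HASH = "0" * 64  # assumed prev_hash for the first row of a tenant's chain

# Versioned, explicit list of fields that row_hash commits to (assumed; the page does not
# publish Exceptao's list). actor_email and actor_ip are deliberately absent: they are
# stored in the row but never hashed, so a later tombstone rewrite changes no hash.
HASHED_FIELDS = {
    1: ("schema_version", "seq", "tenant_id", "ts", "actor_ref",
        "action", "target_type", "target_id", "summary"),
}


def canonical_json(obj: dict) -> bytes:
    # Matches RFC 8785 (JCS) for the subset used here: ASCII keys, strings and ints.
    # Use a full JCS implementation in production (float formatting, UTF-16 key order).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(prev_hash: str, row: dict) -> str:
    """row_hash_n = sha256(prev_hash_{n-1} || canonical_json(row_n)) over the field list
    for the row's schema version. Assumption: prev_hash is concatenated as hex text."""
    payload = {k: row[k] for k in HASHED_FIELDS[row["schema_version"]]}
    return hashlib.sha256(prev_hash.encode("ascii") + canonical_json(payload)).hexdigest()


class TenantAuditLog:
    """In-memory stand-in for one tenant's audit_log plus its audit_anchor rows."""

    def __init__(self, tenant_id: str) -> None:
        self.tenant_id = tenant_id
        self.rows: list[dict] = []                # audit_log (INSERT-only in production)
        self.anchors: list[tuple[int, str]] = []  # audit_anchor: (seq, row_hash)

    def append(self, actor_ref, actor_email, actor_ip, action,
               target_type, target_id, summary, ts) -> str:
        prev = self.rows[-1]["row_hash"] if self.rows else GENESIS_HASH
        row = {"schema_version": SCHEMA_VERSION, "seq": len(self.rows) + 1,
               "tenant_id": self.tenant_id, "ts": ts, "actor_ref": actor_ref,
               "actor_email": actor_email, "actor_ip": actor_ip, "action": action,
               "target_type": target_type, "target_id": target_id, "summary": summary,
               "prev_hash": prev}
        row["row_hash"] = row_hash(prev, row)
        self.rows.append(row)
        return row["row_hash"]

    def anchor(self) -> None:
        """Record the latest row_hash for this tenant, as the audit_anchor table would."""
        self.anchors.append((self.rows[-1]["seq"], self.rows[-1]["row_hash"]))

    def verify(self) -> dict:
        """Walk the whole chain and check the anchored row; machine-readable result."""
        prev = GENESIS_HASH
        for row in self.rows:
            if row["prev_hash"] != prev or row_hash(prev, row) != row["row_hash"]:
                return {"ok": False, "reason": "chain_discontinuity", "seq": row["seq"]}
            prev = row["row_hash"]
        if self.anchors:
            seq, anchored = self.anchors[-1]
            if self.rows[seq - 1]["row_hash"] != anchored:
                return {"ok": False, "reason": "anchor_mismatch", "seq": seq}
        return {"ok": True, "rows": len(self.rows), "head": prev}

    def erase_actor(self, actor_ref: str) -> tuple[str, int]:
        """Erasure per §11: replace e-mail and IP with one stable, random tombstone.
        Hashed fields are untouched, so the chain still verifies afterwards."""
        tombstone = f"actor_tombstone_{uuid.uuid4()}"
        hits = 0
        for row in self.rows:
            if row["actor_ref"] == actor_ref:
                row["actor_email"] = row["actor_ip"] = tombstone
                hits += 1
        return tombstone, hits


def demo() -> dict:
    """Constructed sample events; returns the checks a reviewer would want to see."""
    log = TenantAuditLog("tenant-a")
    log.append("user-7", "anna@example.org", "203.0.113.5", "exception.create",
               "exception", "exc-1", "created", "2025-01-01T10:00:00Z")
    log.append("user-7", "anna@example.org", "203.0.113.5", "exception.approve",
               "exception", "exc-1", "approved", "2025-01-01T10:05:00Z")
    log.append("user-9", "bob@example.org", "198.51.100.8", "risk.update",
               "risk", "risk-3", "score 4 -> 3", "2025-01-02T09:00:00Z")
    log.anchor()
    before = log.verify()
    tombstone, erased = log.erase_actor("user-7")
    after = log.verify()                      # still ok: hashed inputs unchanged
    tampered = deepcopy(log)                  # edit a hashed field behind the chain's back
    tampered.rows[1]["summary"] = "rejected"
    return {"before": before, "after": after, "erased": erased, "tombstone": tombstone,
            "email_now": log.rows[0]["actor_email"], "tampered": tampered.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the chain verifying before and after the two rows belonging to user-7 are tombstoned, and chain_discontinuity reported at seq 2 once a hashed field is edited. If actor_email were added to HASHED_FIELDS, erase_actor would leave verify() failing at the first erased row, which is exactly the property to confirm when reviewing a real implementation of §11.2. The example does not model the database-side controls (audit_writer being INSERT-only, FORCE RLS, the SET LOCAL tenant context); those are enforced by PostgreSQL privileges and policies, not by the chain itself.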